Configuration examples for nsel – Cisco ASA 5505 User Manual


78-12

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 78 Configuring NetFlow Secure Event Logging (NSEL)

Configuration Examples for NSEL

The following examples show how to filter NSEL events, with the specified collectors already
configured:

flow-export destination inside 209.165.200.230 2055
flow-export destination outside 209.165.201.29 2055
flow-export destination outside 209.165.201.27 2055

Log all events between host 209.165.200.224 and host 209.165.201.224 to 209.165.200.230, and log
all other events to 209.165.201.29:

hostname (config)# access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.201.224
hostname (config)# class-map flow_export_class
hostname (config-cmap)# match access-list flow_export_acl
hostname (config)# policy-map flow_export_policy
hostname (config-pmap)# class flow_export_class
hostname (config-pmap-c)# flow-export event-type all destination 209.165.200.230
hostname (config-pmap)# class class-default
hostname (config-pmap-c)# flow-export event-type all destination 209.165.201.29
hostname (config)# service-policy flow_export_policy global

Log flow-create events to 209.165.200.230, flow-teardown events to 209.165.201.29, flow-denied
events to 209.165.201.27, and flow-update events to 209.165.200.230:

hostname (config)# policy-map flow_export_policy
hostname (config-pmap)# class class-default
hostname (config-pmap-c)# flow-export event-type flow-creation destination 209.165.200.230
hostname (config-pmap-c)# flow-export event-type flow-teardown destination 209.165.201.29
hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
hostname (config-pmap-c)# flow-export event-type flow-update destination 209.165.200.230
hostname (config)# service-policy flow_export_policy global

Log flow-create events between hosts 209.165.200.224 and 209.165.200.230 to 209.165.201.29, and log
all flow-denied events to 209.165.201.27:

hostname (config)# access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.200.230
hostname (config)# class-map flow_export_class
hostname (config-cmap)# match access-list flow_export_acl
hostname (config)# policy-map flow_export_policy
hostname (config-pmap)# class flow_export_class
hostname (config-pmap-c)# flow-export event-type flow-creation destination 209.165.201.29
hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
hostname (config-pmap)# class class-default
hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
hostname (config)# service-policy flow_export_policy global

Note

You must enter the following command:

hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27

under the class that matches flow_export_acl, because a flow is handled only by the first class it
matches and is not checked against class-default afterwards. You must therefore explicitly define
the action to log flow-denied events that match flow_export_acl; otherwise those events are never
exported.
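The first-match caveat in the Note can be checked mechanically before a policy goes live. The following is an added example, not code from the Cisco guide; it parses the policy-map portion of an ASA configuration into a per-class map of event type to collector and reports every event type that class-default exports but an earlier class silently drops. The sample configuration is constructed from the third example above with the flow-denied line under flow_export_class omitted.

```python
import re

# Constructed sample (not from the manual): the third example above with the
# flow-denied line under flow_export_class left out, the omission the Note warns about.
SAMPLE_CONFIG = """\
access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.200.230
class-map flow_export_class
 match access-list flow_export_acl
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type flow-creation destination 209.165.201.29
 class class-default
  flow-export event-type flow-denied destination 209.165.201.27
service-policy flow_export_policy global
"""

# NSEL event types as spelled on the ASA CLI; "all" expands to every one of them.
EVENT_TYPES = ("flow-creation", "flow-teardown", "flow-denied", "flow-update")

def parse_flow_export(config):
    """Return {class_name: {event_type: collector}} in policy-map order."""
    classes = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"class (\S+)$", stripped)  # "class-map" has no space, so it is skipped
        if m:
            current = m.group(1)
            classes.setdefault(current, {})
            continue
        m = re.match(r"flow-export event-type (\S+) destination (\S+)$", stripped)
        if m and current is not None:
            etype, collector = m.groups()
            for t in (EVENT_TYPES if etype == "all" else (etype,)):
                classes[current][t] = collector
    return classes

def find_unlogged_events(classes):
    """Event types class-default exports but an earlier class does not: lost for that class's flows."""
    default = classes.get("class-default", {})
    gaps = {}
    for name, exported in classes.items():
        if name == "class-default":
            continue
        missing = sorted(t for t in default if t not in exported)
        if missing:
            gaps[name] = missing
    return gaps
```

Running find_unlogged_events(parse_flow_export(SAMPLE_CONFIG)) reports that flow_export_class never exports flow-denied events; adding the flow-denied line under that class, as the Note instructs, clears the report.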

Log all traffic except traffic between hosts 209.165.201.27 and 209.165.201.50 to 209.165.201.27:

hostname (config)# access-list flow_export_acl deny ip host 209.165.201.30 host 209.165.201.50
